Project Sekai - ✅-crypto-adi-shamirs-spontaneously-setec-astronomy-sharing-system-security-assessment

Project Sekai

🔒 UMDCTF 2023 / ✅-crypto-adi-shamirs-spontaneously-setec-astronomy-sharing-system-security-assessment

Adi Shamir's Spontaneously Setec Astronomy Sharing System Security Assessment - 500 points

Category: Crypto Description: "And this is why I'm different. Sometimes my mask takes over." - Elliot Alderson Author: clam Files:

https://umdctf.io/files/efe1daaf0ffd941f0a31f15d84bfac3c/chall.zip?token=eyJ1c2VyX2lkIjoxNDcsInRlYW1faWQiOjY4LCJmaWxlX2lkIjo0Mn0.ZExCDg.-AgXSWeEFJDXQh7qdexriaMedXw

Tags: No tags.

Sutx pinned a message to this channel. 04/28/2023 3:00 PM

@Violin wants to collaborate

@unpickled admin bot wants to collaborate

@fleming wants to collaborate

@kanon wants to collaborate

02:18

@Y4nhu1 wants to collaborate

@Utaha wants to collaborate

code for my mobile use

from os import urandom
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from PIL import Image
import numpy as np

p = next_prime(2^128)
F = GF(p)
R.<x> = PolynomialRing(F)

key = urandom(16)
secret = int.from_bytes(key, 'big')
k = 64
n = 128
poly = R.random_element(k-2) * x + F(secret)

px = []
for i in range(1, n+1):
    bits = list(map(np.uint8, bin(int(poly(i)))[2:].zfill(128)))
    row = [0] * 512
    for j in range(4): row[j::4] = bits
    for j in range(4): px.append(row)

im1 = Image.fromarray(np.asarray(px)*255, 'L').convert('RGBA')

with Image.open("mask.png") as im2:
    Image.alpha_composite(im1, im2).save("out.png")
    
with open("flag.png", "rb") as f, open("flag.png.enc", "wb") as g:
    cipher = AES.new(key, AES.MODE_CBC)
    g.write(cipher.iv + cipher.encrypt(pad(f.read(), 16)))

is the reverse of Image.alpha_composite possible, not sure

13:39

will need to experiment

based on the image, I guess they are trying to mask some bit

13:47

Image attachment

Image attachment

13:47

but some rows are not masked and we can make it back to 128-bit integer?

13:48

the image is 512 * 512

13:49

and it is indeed 4 pixel per square

13:49

Image attachment

ill be back after lunch

13:53

oh ok so we only have partial information about im1

13:53

the non masked part

1 is white 0 is black idk why

13:59

and one number is one row

13:59

so indeed we don't have full 64 rows

from PIL import Image
import numpy as np

matrix = [[(255, 0, 0) for j in range(128)] for i in range(128)]

with Image.open("out.png").convert('RGB') as im:
    for i in range(128):
        for j in range(128):
            pixels = [im.getpixel((i * 4 + x, j * 4 + y)) for x in range(4) for y in range(4)]
            if all(pixel == (255, 255, 255) for pixel in pixels):
                matrix[j][i] = (255, 255, 255)
            if all(pixel == (0, 0, 0) for pixel in pixels):
                matrix[j][i] = (0, 0, 0)

out_im = Image.fromarray(np.asarray(matrix, np.uint8), 'RGB')
out_im.save("extract.png")

14:16

Image attachment

14:16

I might miss a few information (blocks where some of them are B/W some of them are masked), but I guess this should be good enough

14:16

and image coordinate swap x and y

14:22

number of bits missing per row (sorted) (edited)

14:22

[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 5, 7, 7, 8, 8, 8, 8, 8, 9, 9, 10, 11, 11, 11, 11, 12, 12, 12, 13, 13, 13, 14, 15, 15, 15, 15, 15, 16, 16, 16, 17, 17, 17, 17, 17, 17, 17, 18, 18, 18, 18, 18, 18, 19, 19, 19, 19, 19, 19, 19, 20, 20, 20, 21, 22, 22, 22, 22, 23, 23, 24, 24, 25, 25, 25, 25, 26, 26, 26, 27, 27, 27, 28, 30, 32, 36, 37, 40, 41, 42, 46, 48, 49, 51, 52, 52, 52, 52, 52, 52, 53, 54, 54, 54, 54, 54, 54, 55, 56, 56, 57, 57, 57, 57, 58, 58, 58, 59, 59, 60, 60]

(edited)

14:22

we have 16 "free" numbers

prob just a huge LLL

14:53

no other idea lol

hm

14:54

there should be enough data for LLL cuz mask isnt too large

14:54

whats the size?

14:54

512 512?

128 * 128

oh

14:55

4 blocks to 1 right

yeah

14:55

the dim is a bit too big, we probably should merge unknown bits together

14:55

I mean if we have <known><unknown><known><unknown><known>

14:55

we should treat the middle one as unknown

14:56

not sure if that's good enough tho

14:58

[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 5, 7, 7, 8, 8, 8, 8, 8, 9, 9, 10, 11, 11, 11, 12, 12, 12, 13, 13, 13, 15, 15, 15, 16, 16, 17, 17, 17, 17, 17, 18, 18, 18, 18, 18, 18, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 19, 20, 20, 20, 20, 21, 22, 22, 22, 22, 23, 23, 24, 24, 25, 25, 25, 26, 26, 26, 27, 27, 27, 28, 50, 51, 52, 52, 52, 52, 52, 52, 53, 53, 53, 53, 54, 54, 54, 54, 54, 55, 56, 57, 57, 57, 58, 58, 58, 59, 59, 60, 60, 60, 61, 61, 61, 61, 61, 61, 61, 61, 62]

it doesn't change too much, I'll give it a try

yeah i dont think u can brute, each is 4 blocks

sahuang

yeah i dont think u can brute, each is 4 blocks

ye that was mb

idk if LLL works but thats prob the only thing we can try

15:05

considering defund did it in 2 hrs, prob LLL

def solve_chall(obj):
  return obj.LLL()

sahuang

considering defund did it in 2 hrs, prob LLL

defund too good :<

utaha is

true

15:07

i was reading his sol to other challs (edited)

15:08

ngl i woke up like an hour ago, checked this server, and crypto was like all solved minus this cuz of utaha

(edited)

I'm just stealing solves :p

15:19

I'm now running LLL on 192 * 192 matrix

15:19

15:19

1.39 KB

15:19

if you want to have the same fun

Lmao

don't know how long it's gonna take

i regret not setting up the server i got now

15:19

i got this like

15:19

really beefy physical server

15:20

and i literally put down "LLL in random ctfs" as a reason for it

15:20

not word for word but

Utaha

I'm just stealing solves :p

still orz

actually not that slow, but my terminal can't store all the output and I have to run it again lol

15:27

I'm expecting a lot of bugs tho

Utaha

I'm expecting a lot of bugs tho

can you run on a smaller version first then?

~~I have a dream~~

:O

naive LLL not good enough, I might have to add in those 16 equations to reduce the number of variables

I forgot that the 128-bit secret is not the flag :<

19:52

debug for nothing

19:52

Image attachment

19:53

god

UMDCTF{y0u_pull3d_@_g3m_0ut_0f_th3_m3ss}}

Utaha

I forgot that the 128-bit secret is not the flag :<

wait so was it just lll? (edited)

19:53

yeah

did you need to add in the 16 equations?

the script I sent has bug tho

unpickled admin bot

did you need to add in the 16 equations?

I didn't

oh

19:54

lmaooo

19:54

prob not intended

really? I feel like there's no other way to do this (edited)

hmmm

Utaha

used /ctf solve

✅ Challenge solved.

~~ill ask clam~~

yeah go ahead lol

i said you just used LLL and he said no way

19:56

so

wtf

wtf

imma go out on a limb and say unintended

lmfao

ok I'll ask clam myself

kk lmaooo

19:57

nvm

Image attachment

19:57

@Utaha intended

lmao ok

oh ok

19:59

that's

19:59

a bit confusing lol

his no way tripped me up mb

idk I just messaged them but too lazy to delete all messages lmao

Exported 110 message(s)